Is Android's FDE secure from offline attacks?

Last I checked, Android doesn't support FDE unless you have passphrase locking enabled. I've tested on KitKat (4.4.2) and Ice Cream Sandwich (4.0.4) and neither supported FDE with a 6-digit PIN; the encryption wizard forced me to switch the lock mode before allowing encryption.

Mar 16


Session Fixation - Is that even an issue here?

@Mercious You can never be 100% sure that you didn't miss something. Everything has bugs, and you might not even be responsible for the bug that results in XSS (or a similar impact) on your site. As I noted, SOP bypass bugs in browsers are relatively common, so you should account for them where possible. Besides, the fix for session fixation on login is just to regenerate the token on login - it's not a lot of work.

Session Fixation - Is that even an issue here?

@Mercious You're also presuming that the user's browser is without bugs. What if there's a same-origin policy violation bug in the user's browser, and an attacker leverages it to create a cookie across origins onto your domain? With your session fixation issue present, your user's account gets hijacked. If you fix that bug, they're not quite so boned.

Mar 16


Session Fixation - Is that even an issue here?

@Mercious Major, major flaw in your thinking: XSS doesn't have to be from standard user input. It could be from the Referer, the URI itself, HTTP headers, external content (e.g. included jquery.js), or even DOM-based from some dodgy JavaScript. Your filters may also be defective, ineffective against certain character classes (UTF-8, etc.), or not have 100% coverage. You should never presume that XSS will not be a problem.
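The fix the session fixation comments above describe, regenerating the session token on login, as an added Python example that is not the commenter's code. The in-memory session store and its method names are assumptions; the "planted" session id stands in for one an attacker managed to set in the victim's browser before login.

```python
import secrets


class SessionStore:
    """Minimal server-side session table: session id -> session data."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_keep_id(self, sid, user):
        # Fixation-prone: the pre-authentication id is kept and simply
        # upgraded to an authenticated session.
        if sid not in self.sessions:
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def login_regenerate(self, sid, user):
        # Fixed: discard whatever id the client presented and issue a fresh
        # one, so an id known to anyone else never becomes authenticated.
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid

    def whoami(self, sid):
        s = self.sessions.get(sid)
        return s["user"] if s else None


def attacker_gets_account(regenerate):
    """Simulate: an id is planted in the victim's browser (constructed
    scenario), the victim logs in, and we check whether that planted id
    now resolves to the victim's account."""
    store = SessionStore()
    planted = store.new_session()          # id known to the attacker
    login = store.login_regenerate if regenerate else store.login_keep_id
    login(planted, "victim")                # victim logs in with planted id
    return store.whoami(planted) == "victim"
```

Without regeneration the planted id becomes the victim's authenticated session; with regeneration it is invalidated at login.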

How can I securely delete items in a database?

There's no way to recover it from the database itself - there's no UNDELETE or similar. The only way to get at the deleted data is to read the database file on disk and extract latent data.